
HostKey _INSERT_HOST_KEY_
AuthorizedKeysFile _INSERT_AUTHORIZED_KEYS_FILE_

# The following option is not supported by all recent versions of OpenSSH,
# so instead we rely on injection of the shell setup command in the authorized
# keys file.
#ForceCommand _INSERT_FORCE_COMMAND_

# as a convenience to users, allow remote setting of environment
# since sshd is running as the job uid, there isn't really a security concern
AcceptEnv *

Subsystem       sftp    /usr/libexec/sftp-server

# prevent sshd from freaking out about reading files from inside
# a tmp-like directory
StrictModes no

# Rejection by tcp wrappers is not logged at INFO or VERBOSE log levels,
# so to make diagnosis of problems easier, we use DEBUG.
LogLevel DEBUG

X11Forwarding yes

# By default, OpenSSH uses the ipv6 loopback even if ipv6 is disabled in the
# kernel.  This forces OpenSSH to use the "local" network instead
X11UseLocalhost no

# The following settings are recommended for good security.
# In particular, only FIPS 140-2 algorithms are used.
# URLs for extra information re FIPS security compliance:
#    https://rhel7stig.readthedocs.io/en/latest/
#    https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/
#    https://people.redhat.com/swells/scap-security-guide/tables/table-rhel7-stig-manual.html

#-FIPS High Severity
Protocol 2
PermitEmptyPasswords no

#-FIPS Medium Severity
# Note: Ciphers and MACs below will be incompatible with RHEL5 or earlier.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
PermitRootLogin no
PermitUserEnvironment no
GSSAPIAuthentication no
KerberosAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
PrintLastLog yes
UsePrivilegeSeparation yes # sandbox separation not supported in RHEL6
Compression delayed

#-Recommended for security, but left out ssh_to_job config
# because they provide minimal value and are likely to annoy
# users or generate needless warnings in the ssh_to_job setting.
#
# ClientAliveInterval 600  # Note: condor_submit -i sets TMOUT
# ClientAliveCountMax 0
# banner=/etc/issue # Set to your warning banner
# StrictModes yes # Can't set due to tmp-like directory
# RhostsRSAAuthentication yes # Obsolete Protocol version 1 option
